CNIL (France) - SAN-2022-020
| CNIL - Délibération SAN-2022-020 | |
|---|---|
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 3(2)(a) GDPR, Article 5(1)(e) GDPR, Article 12 GDPR, Article 13 GDPR, Article 13(2)(a) GDPR, Article 21 GDPR, Article 25(2) GDPR, Article 32 GDPR, Article 35(1) GDPR, Article 55(1) GDPR, Article 56 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 17.11.2020 |
| Decided: | 10.11.2022 |
| Published: | |
| Fine: | 800,000 EUR |
| Parties: | Discord |
| National Case Number/Name: | Délibération SAN-2022-020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNIL (in FR) |
| Initial Contributor: | n/a |
The French DPA fined an online communication platform €800,000 for several GDPR violations. Among other things, the controller did not have a data retention period in its privacy policy, provided incomplete information and failed to ensure data protection by default.
English Summary
Facts
The French CNIL (DPA) started an investigation into a company based in the United States (controller). This controller provided a free-of-charge online service that allowed data subjects to communicate online, including instant messaging and the creation of servers and communication rooms, with text, voice and video rooms.
The investigation service of the DPA (investigation service) determined several shortcomings on the controller's side. During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French data subject accounts in the controller's database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure, the controller added a data retention policy, which stated that the controller would delete data subject accounts after two years of inactivity.
The investigation service found that the information the controller provided regarding data retention periods was incomplete. There were no specific periods or criteria for determining these retention periods. The controller also fixed this during the procedure.
The investigation service also found an issue with the controller's application for Microsoft Windows, an operating system for desktop and laptop computers. When a data subject logged in to a voice room closed the controller's application window by clicking the "X" icon at the top right of the application, the application kept running in the background and the data subject remained logged in. In the majority of Microsoft Windows applications, however, clicking the "X" closes the application. During the procedure, the controller implemented a pop-up window that alerts data subjects, the first time the window is closed, that the application is still running. The controller also informed data subjects that this setting (remaining logged in after the window is closed) could be changed in the settings.
At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller also adjusted this during the proceedings: it now required data subjects to use a password of at least eight characters, with at least three of the four different character types. Also, after ten unsuccessful login attempts, the controller now required a captcha prompt to be solved, which was previously not the case.
The investigation service also determined that the controller had previously considered that it was not necessary to carry out a data protection impact assessment (DPIA). During the procedure, the controller carried out two impact assessments, in which the controller concluded that its processing was not likely to result in a high risk to individuals' rights and freedoms.
Holding
Competence of the DPA
The DPA determined that the controller processed personal data of French data subjects and held that the GDPR was applicable pursuant to Article 3(2)(a) GDPR, considering several factors. Among other factors, the DPA noted that almost all pages on the controller's website and in the controller's application were available in French, except the controller's privacy policy, which was only available in English.
The DPA determined that it was competent to handle this case because the "one-stop shop" mechanism (Article 56 GDPR) did not apply, since the controller did not have an establishment on the territory of any EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of its Member State (Article 55 GDPR), specifically for processing operations carried out by the controller on data subjects residing in that Member State.
Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)
The DPA confirmed that the controller did not have a written data retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French data subject accounts in the controller's database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of Article 5(1)(e) GDPR, because the controller could not rely on the contractual relationship to indefinitely keep the accounts of data subjects who were inactive but had not unsubscribed. This was because a new account could be created free of charge: an inactive data subject who wished to use the service again could simply create a new account.
Failure to comply with the obligation to provide information (Article 13 GDPR)
The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these periods. The DPA held that this was a violation of Article 13 GDPR, because retention periods were stated in a generic manner, without being sufficiently explicit.
Failure to ensure data protection by default (Article 25(2) GDPR)
The DPA also found a violation of Article 25(2) GDPR when analyzing the controller's "X" icon at the top right corner of its Windows application. The DPA determined that the controller's behavior differed from that of other Windows applications. A data subject who clicked the "X" button in the controller's application could still be heard by other members of the voice room while believing the application had been closed. The DPA considered that the controller should specifically inform data subjects by alerting them that their voice can still be heard by other members. The DPA stated that, because of this situation, the data subject's personal data was communicated to third parties without the data subject necessarily being aware of it. The DPA noted that such a setting, in the absence of sufficiently clear and visible information, presented significant risks for data subjects, in particular of intrusion into their private life. The DPA stated that the data subject should either be informed in advance of this setting, or should have to enable the setting himself/herself.
Failure to ensure the security of personal data (Article 32 GDPR)
At the time of the online investigation, a password of six characters including letters and numbers was accepted for creating a user account. The DPA considered that the controller's password management policy was not sufficiently strong and restrictive to ensure the security of data subjects' accounts.
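As an added illustration (not code from the decision, the CNIL or the controller), the two password policies and the failed-login captcha threshold described in the Facts and in this Article 32 finding, written as a policy check and a per-account attempt counter; the policy dictionaries and the reading of "letters and numbers" as two character classes are assumptions.

```python
import string
from dataclasses import dataclass, field

# Constructed policies mirroring the two states described in the decision
# (assumption: "letters and numbers" is modelled as two character classes).
WEAK_POLICY = {"min_length": 6, "min_classes": 2}       # accepted during the investigation
CORRECTED_POLICY = {"min_length": 8, "min_classes": 3}  # adopted during the proceedings
CAPTCHA_AFTER_FAILURES = 10                             # captcha after ten failed logins

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> set:
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def password_accepted(password: str, policy: dict) -> bool:
    """Apply a length and character-class policy to a candidate password."""
    return (len(password) >= policy["min_length"]
            and len(character_classes(password)) >= policy["min_classes"])


@dataclass
class LoginGuard:
    """Counts consecutive failed logins per account; a captcha is demanded
    once the count reaches CAPTCHA_AFTER_FAILURES and cleared on success."""
    failures: dict = field(default_factory=dict)

    def record_attempt(self, account: str, success: bool) -> bool:
        """Record one attempt and return whether a captcha is now required."""
        if success:
            self.failures.pop(account, None)   # reset the counter on success
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.captcha_required(account)

    def captcha_required(self, account: str) -> bool:
        return self.failures.get(account, 0) >= CAPTCHA_AFTER_FAILURES
```

A six-character password such as a constructed "abc123" satisfies the weak policy but not the corrected one, and the tenth consecutive failure on an account flips the captcha requirement on until a successful login clears it.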
Failure to carry out a data protection impact assessment (Article 35 GDPR)
The controller previously considered that it was not necessary to carry out a DPIA. The DPA considered that the controller should have done so, looking at the volume of data processed and the fact that the controller's service was used by minors.
Fine
The DPA imposed a fine of 800,000 euros on the controller. The amount of the fine was based on several factors, such as the number of data subjects concerned, the efforts made by the controller throughout the procedure to become GDPR compliant, and the fact that the controller's business model was not based on the exploitation of personal data.
Comment
The DPA also investigated breaches of Articles 12 and 21 GDPR, which were determined by the investigation service. However, the DPA did not follow its investigation service in these instances and held that the controller did not violate these articles.